Friday, September 26, 2014

Shellshock Bash Exploit in Windows

Searching for bash.exe in Windows, I found several instances of Bash, all of which were vulnerable to the Shellshock exploit. Anyone who develops programs or web applications in Windows may have one or more instances of Bash. Anyone who uses Git in Windows almost certainly will have at least one.

First, I used the Windows File Explorer to search each disk drive for instances of “bash.exe”.

Then, using some advice from Scott Simpson at http://www.lynda.com/articles/shellshock-bash-exploit, I ran the following commands:

cd <directory containing bash.exe>
>.\bash
PATH=$PATH:.
bash-3.1$ env x='() { :;}; echo vulnerable' bash -c "echo done running"
vulnerable
done running
bash-3.1$

I also tested “sh.exe” the same way, in case it happened to be just a copy of “bash.exe”.

Here are the places where I found “bash.exe” on my development machine. You may find similar ones on yours.

1.) C:\Program Files (x86)\Git\bin\bash.exe
    GNU bash, version 3.1.0(1)-release (i686-pc-msys)
    C:\Program Files (x86)\Git\bin\sh.exe
    GNU bash, version 3.1.0(1)-release (i686-pc-msys)
2.) C:\DevKit\bin\bash.exe
    GNU bash, version 3.1.17(1)-release (i686-pc-msys)
    C:\DevKit\bin\sh.exe
    GNU bash, version 3.1.17(1)-release (i686-pc-msys)  
3.) C:\MinGW\msys\1.0\bin\bash.exe
    GNU bash, version 3.1.17(1)-release (i686-pc-msys)
    C:\MinGW\msys\1.0\bin\sh.exe
    GNU bash, version 3.1.17(1)-release (i686-pc-msys)
4.) C:\Users\<user>\AppData\Local\GitHub\PortableGit…\bin\bash.exe
    GNU bash, version 3.1.0(1)-release (i686-pc-msys)
    C:\Users\<user>\AppData\Local\GitHub\PortableGit…\bin\sh.exe
    GNU bash, version 3.1.0(1)-release (i686-pc-msys)

Every one of these turned out to be vulnerable, even though most had been installed recently. I haven’t yet found a Windows version of “bash.exe” patched to prevent the Shellshock exploit.

In practice, my system probably isn’t actually vulnerable to this particular exploit since I don’t normally run any server that executes CGI scripts, plus my firewall prevents incoming requests on the ports used by my servers in development mode. It’s only a development machine, not a production one.

An additional precaution is that none of the paths in my default Windows PATH variable permit bash.exe to be run. You easily can test this on your own machine: Start the Windows command console, cmd.exe, and type “bash”. If it runs, probably not a good thing. If it fails to run, so much the better.
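
The search, the per-binary test and the PATH check described in this post can be combined into one PowerShell script. This is an added example, not part of the original post: the `Test-Shell` function and the `-Roots` parameter are names made up here, and it assumes each bash.exe reads the Windows process environment at startup.

```powershell
# Added example, not from the original post.
# Assumption: bash.exe imports the Windows process environment at startup.
param(
    # Directories to search; defaults to the root of every file-system drive.
    [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
)

$marker = 'vulnerable'
$probe  = "() { :;}; echo $marker"   # same test string as in the session above

function Test-Shell {
    param([string]$Path)
    # Read the version banner before the probe variable is set.
    $version = & $Path --version 2>$null | Select-Object -First 1
    $env:x = $probe                  # inherited by the child shell
    try {
        $output = & $Path -c 'echo done' 2>$null
    } finally {
        Remove-Item Env:\x -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Path       = $Path
        Version    = $version
        # A patched shell prints only "done"; an unpatched one prints the marker first.
        Vulnerable = [bool](@($output) -contains $marker)
    }
}

# Find every bash.exe and sh.exe, since sh.exe may be a copy of bash.exe.
$found = Get-ChildItem -Path $Roots -Recurse -File -Include bash.exe, sh.exe `
             -ErrorAction SilentlyContinue
$found | ForEach-Object { Test-Shell $_.FullName } | Format-Table -AutoSize -Wrap

# Shells reachable through PATH are the ones other programs can start by name.
$onPath = Get-Command bash.exe, sh.exe -CommandType Application -ErrorAction SilentlyContinue
if ($onPath) {
    $onPath | ForEach-Object { "On PATH: $($_.Path)" }
} else {
    'No bash.exe or sh.exe is reachable through PATH.'
}
```

Saved to a file of your choosing, the script can be limited to one directory tree by passing `-Roots`, which is much faster than scanning every drive.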

There is a patch available for other operating systems that is discussed here:
http://security.stackexchange.com/questions/68290/how-does-the-shellshock-patch-actually-prevent-the-problem
